Android/iOS no connection established

[aquaghost]

Hello, please help solve the problem

Can not establish connection from Android/iOS clients to SoftEther vpn server.

Configuration:
Server - Ubuntu 13.10 + SoftEther vpn server 4.05 (x64).
[L2TP over IPSec] and [Raw L2TP with No encriptions] are enabled,
hub, user, bridge to lan...everything is ok
Clients - (1) iOS 6
(2) Android 4.2.1
all configured according to instructions on softether site,
all name&passwords are checked mutliple times

MS Windows based softehernet client connects to vpn server successfuly and the local network is available, which means that everything is configured correctly.

If some additional info is needed - please tell what to provide (and where to take this data from).

PS: Hope that DEVELOPMENT TEAM reads what we write here. I've looked through the forum and I've seen about 5 unanswered threads on this topic or very similar.
PPS: The solution with OpenVPN client for Android did not worked for me.

_______________________________________
Typical server log:

2014-02-16 03:39:17.706 IPsec Client 1 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:39:17.706 IPsec IKE Session (IKE SA) 1 (Client: 1) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xEACFD86DA18D$
2014-02-16 03:39:20.673 IPsec Client 2 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:39:20.673 IPsec IKE Session (IKE SA) 2 (Client: 2) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xEACFD86DA18D$
2014-02-16 03:39:23.679 IPsec Client 3 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:39:23.679 IPsec IKE Session (IKE SA) 3 (Client: 3) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xEACFD86DA18D$
2014-02-16 03:39:26.756 IPsec Client 4 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:39:26.756 IPsec IKE Session (IKE SA) 4 (Client: 4) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xEACFD86DA18D$
2014-02-16 03:39:27.711 IPsec IKE Session (IKE SA) 1 (Client: 1) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:39:27.711 IPsec Client 1 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:39:29.692 IPsec Client 5 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:39:29.692 IPsec IKE Session (IKE SA) 5 (Client: 5) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xEACFD86DA18D$
2014-02-16 03:39:30.677 IPsec IKE Session (IKE SA) 2 (Client: 2) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:39:30.677 IPsec Client 2 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:39:30.677 IPsec IKE Session (IKE SA) 2 (Client: 2) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:39:30.677 IPsec Client 2 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:39:32.698 IPsec Client 6 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:39:32.698 IPsec IKE Session (IKE SA) 6 (Client: 6) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xEACFD86DA18D$
2014-02-16 03:39:33.684 IPsec IKE Session (IKE SA) 3 (Client: 3) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:39:33.684 IPsec Client 3 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:39:35.775 IPsec Client 7 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:39:35.775 IPsec IKE Session (IKE SA) 7 (Client: 7) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xEACFD86DA18D$
2014-02-16 03:39:36.760 IPsec IKE Session (IKE SA) 4 (Client: 4) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:39:36.760 IPsec Client 4 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:39:38.771 IPsec Client 8 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:39:38.771 IPsec IKE Session (IKE SA) 8 (Client: 8) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xEACFD86DA18D$
2014-02-16 03:39:39.696 IPsec IKE Session (IKE SA) 5 (Client: 5) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:39:39.696 IPsec Client 5 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:39:41.778 IPsec Client 9 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:39:41.778 IPsec IKE Session (IKE SA) 9 (Client: 9) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xEACFD86DA18D$
2014-02-16 03:39:42.703 IPsec IKE Session (IKE SA) 6 (Client: 6) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:39:42.703 IPsec Client 6 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:39:44.724 IPsec Client 10 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:39:44.724 IPsec IKE Session (IKE SA) 10 (Client: 10) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xEACFD86DA1$
2014-02-16 03:39:45.780 IPsec IKE Session (IKE SA) 7 (Client: 7) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:39:45.780 IPsec Client 7 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:39:48.776 IPsec IKE Session (IKE SA) 8 (Client: 8) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:39:48.776 IPsec Client 8 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:39:51.782 IPsec IKE Session (IKE SA) 9 (Client: 9) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:39:51.782 IPsec Client 9 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:39:54.729 IPsec IKE Session (IKE SA) 10 (Client: 10) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:39:54.729 IPsec Client 10 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:53:27.001 IPsec Client 11 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:53:27.001 IPsec IKE Session (IKE SA) 11 (Client: 11) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x60CD518F54$
2014-02-16 03:53:29.998 IPsec Client 12 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:53:29.998 IPsec IKE Session (IKE SA) 12 (Client: 12) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x60CD518F54$
2014-02-16 03:53:33.024 IPsec Client 13 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:53:33.024 IPsec IKE Session (IKE SA) 13 (Client: 13) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x60CD518F54$
2014-02-16 03:53:36.021 IPsec Client 14 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:53:36.021 IPsec IKE Session (IKE SA) 14 (Client: 14) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x60CD518F54$
2014-02-16 03:53:37.006 IPsec IKE Session (IKE SA) 11 (Client: 11) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:53:37.006 IPsec Client 11 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:53:40.002 IPsec IKE Session (IKE SA) 12 (Client: 12) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:53:40.002 IPsec Client 12 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:53:41.832 IPsec Client 15 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:53:41.832 IPsec IKE Session (IKE SA) 15 (Client: 15) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x60CD518F54$
2014-02-16 03:53:42.033 IPsec Client 16 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:53:42.033 IPsec IKE Session (IKE SA) 16 (Client: 16) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x60CD518F54$
2014-02-16 03:53:43.029 IPsec IKE Session (IKE SA) 13 (Client: 13) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:53:43.029 IPsec Client 13 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:53:45.040 IPsec Client 17 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:53:43.029 IPsec Client 13 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:53:45.040 IPsec Client 17 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:53:45.040 IPsec IKE Session (IKE SA) 17 (Client: 17) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x60CD518F54$
2014-02-16 03:53:46.025 IPsec IKE Session (IKE SA) 14 (Client: 14) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:53:46.025 IPsec Client 14 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:53:48.046 IPsec Client 18 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:53:48.046 IPsec IKE Session (IKE SA) 18 (Client: 18) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x60CD518F54$
2014-02-16 03:53:51.043 IPsec Client 19 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:53:51.043 IPsec IKE Session (IKE SA) 19 (Client: 19) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x60CD518F54$
2014-02-16 03:53:51.837 IPsec IKE Session (IKE SA) 15 (Client: 15) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:53:51.837 IPsec Client 15 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:53:52.038 IPsec IKE Session (IKE SA) 16 (Client: 16) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:53:52.038 IPsec Client 16 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:53:54.049 IPsec Client 20 (213.45.179.17:500 -> 192.168.5.11:500): A new IPsec client is created.
2014-02-16 03:53:54.049 IPsec IKE Session (IKE SA) 20 (Client: 20) (213.45.179.17:500 -> 192.168.5.11:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x60CD518F54$
2014-02-16 03:53:55.044 IPsec IKE Session (IKE SA) 17 (Client: 17) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:53:55.044 IPsec Client 17 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:53:58.051 IPsec IKE Session (IKE SA) 18 (Client: 18) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:53:58.051 IPsec Client 18 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:54:01.047 IPsec IKE Session (IKE SA) 19 (Client: 19) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:54:01.047 IPsec Client 19 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.
2014-02-16 03:54:04.054 IPsec IKE Session (IKE SA) 20 (Client: 20) (213.45.179.17:500 -> 192.168.5.11:500): This IKE SA is deleted.
2014-02-16 03:54:04.054 IPsec Client 20 (213.45.179.17:500 -> 192.168.5.11:500): This IPsec Client is deleted.

[mesa57]

For L2TP you have to forward / open ports on the server side.

[aquaghost]

mesa57 wrote:
> For L2TP you have to forward / open ports on the server side.

Hello, mesa57

Thanks for your attention to my problem.
Please, check me:

What I did - is i forwarded the following ports:
1) 1701 TCP & UDP
2) 500 TCP & UDP
3) 4500 TCP & UDP

Is that a full list of ports to be forwarded, how do you think?
I'm willing to open additional ports, but still i do not understand why do you think that the point is in missed ports? As I mentioned, windows based softether client has no problems.

[qupfer]

aquaghost wrote:
> What I did - is i forwarded the following ports:
> 1) 1701 TCP & UDP
> 2) 500 TCP & UDP
> 3) 4500 TCP & UDP
>
> Is that a full list of ports to be forwarded, how do you think?
> I'm willing to open additional ports, but still i do not understand why do you think
> that the point is in missed ports? As I mentioned, windows based softether client
> has no problems.

For IPsec (what android/iOS are using) UDP 500 and UDP 4500 are enough. The Windows-client-software is using a different protocoll, so it can work independent of the IPsec Ports. But with these ports, it should work with iOS.

A alternativ idea: Use the offical openvpn client. You can modify the openvpn-config file to use the same ports, the windows client does.

And in what kind of network are the server, and what kind are you? Some restriktiv networks doesn't allow udp connection.

[aquaghost]

qupfer wrote:
> For IPsec (what android/iOS are using) UDP 500 and UDP 4500 are enough. The
> Windows-client-software is using a different protocoll, so it can work independent of
> the IPsec Ports. But with these ports, it should work with iOS.

Yes, I agree that it should, but for some reasons it does not. Maybe the problem is not in ports...To guess this errorous point I need help.

qupfer wrote:
> A alternativ idea: Use the offical openvpn client. You can modify the openvpn-config
> file to use the same ports, the windows client does.

I tried openvpn client. As it was said in "how-to" I changed the port in generated ovpn file to port 443. But I even do not get any log records when trying to connect.
Any way, I am interested in officially annonced way of setting up Android/iOS vpn clients...which does not work in my case.

qupfer wrote:
> And in what kind of network are the server, and what kind are you? Some restriktiv
> networks doesn't allow udp connection.
- Server is in simple "home-type" LAN, outer router interface recieves a dynamic white ip (i follow it by DDNS of softether.net). Router is fully managed by me. Port forwarding works fine so as other services work from out-side of the lan.
- Clients - are regular mobile devices, connecting through mobile provider.

I'll be grateful to any ideas "where to dig futher"

[qupfer]

aquaghost wrote:
> I tried openvpn client. As it was said in "how-to" I changed the port in
> generated ovpn file to port 443. But I even do not get any log records when trying to

Maybe a stupid question, but you are sure you forwarded 443 too?

What I would try now: Test, if the windows-client is working. If yes: Open the Windows-Client and look at the configuration, which port is used (i think the default one is 5555). Change the ovpn-file to this port, also change it from udp to tcp.
Now, ovpn is very similar to the (working) windows configuration. Try it.
If this work. Change back from tcp to upd, and try again.
If this work, change port to 500 and after that to 4500.

[desperados]

Hi
have you solved? I've same problem
thanks

[desperados]

if I connect with client in the same LAN of server, it works. if I try to connect with client out of the LAN, and therefore with server behind a firewall, it doesn't work. but tcp and udp ports are ok (if I NAT them to my windows server, L2TP/IPSec works).

[desperados]

it can be a problem with passthrough? there is something to setup in SoftEther?

[inten]

Users who have this problem skype me (select MSN account in my profile for a username). We have found a similar behavior and would like to test it out a bit faster.

[seanbirkhead]

I had a similar problem which I resolved by turning on Virtual NAT and Virtual DHCP on the server HUB

[desperados]

seanbirkhead wrote:
> I had a similar problem which I resolved by turning on Virtual NAT and
> Virtual DHCP on the server HUB

I tried on and off, but nothing changes, same problem. tomorrow I'll try something other... have you natted only 500 udp and 4500 udp and 1701 tcp/udp?

[seanbirkhead]

desperados wrote:
> seanbirkhead wrote:
> > I had a similar problem which I resolved by turning on Virtual NAT and
> > Virtual DHCP on the server HUB
>
> I tried on and off, but nothing changes, same problem. tomorrow I'll try something
> other... have you natted only 500 udp and 4500 udp and 1701 tcp/udp?


Correct. In fact I took the easy option on the router with one setting that natted both UDP and TCP ports with one rule but to check, I changed my rules to 4500 UDP, 500 UDP and 1701 TCP + UDP and I'm still working :-)

Also (I should have mentioned), it turned out that my Windows 7 (default) firewall was set to block all inbound traffic on public networks. I disabled Firewall completely on Windows 7 temporarily and got it working. Eventually I ended up adding a rule to allow 4500,500 and 1701 inbound on public , private and domain profiles and then turning on my firewall only blocking traffic that did not match any rule on all three profiles.

So, if you have any firewall at all running on the Softether VPN server I would suggest to turn it off just as a test and if that works , then you could then add similar rules to the profiles as above.

[seanbirkhead]

In summary,
the main things I had to do beyond the default Softether install and recommended config were :

Nat 4500,500 and 1701 on my internet router.

Open the same ports on my firewall on the vpn server

Turn on virtual NAT on the Softether HUB.

[dchusky]

seanbirkhead wrote:
> I had a similar problem which I resolved by turning on Virtual NAT and
> Virtual DHCP on the server HUB

[dchusky]

seanbirkhead wrote:
> I had a similar problem which I resolved by turning on Virtual NAT and
> Virtual DHCP on the server HUB


Thank you seanbirkhead. Your suggestion worked for my case. Now all devices, PC, Android and iOS are connected. I am not a network person, only project management and an UX person just helping out, but my system admin and developer have been reading docs and searching for the solution from the past few days. I will update team on changes and check security again. Thanks again.

[seanbirkhead]

dchusky wrote:
> seanbirkhead wrote:
> > I had a similar problem which I resolved by turning on Virtual NAT and
> > Virtual DHCP on the server HUB
>
>
> Thank you seanbirkhead. Your suggestion worked for my case. Now all devices, PC,
> Android and iOS are connected. I am not a network person, only project management
> and an UX person just helping out, but my system admin and developer have been
> reading docs and searching for the solution from the past few days. I will update
> team on changes and check security again. Thanks again.



You are welcome. Glad it helped

[desperados]

seanbirkhead wrote:
> Turn on virtual NAT on the Softether HUB.

do you mean "SecureNAT" ?

[avel]

SecureNAT with VirtualNAT enabled inside

[seanbirkhead]

desperados wrote:
> seanbirkhead wrote:
> > Turn on virtual NAT on the Softether HUB.
>
> do you mean "SecureNAT" ?

Whichever you prefer. Image of Button attached.

[attachment=0]Virtual NAT Button.PNG[/attachment]

[desperados]

solved
my problem was about routing, I fixed it and now it works!
1) NATted UDP 500 and UDP 4500
2) enabled SecureNAT and Virtual DHCP
however, ipad connect but not works, I try using hostname and ip but nothing happens, my android phone indeed is ok

[seanbirkhead]

desperados wrote:
> solved
> my problem was about routing, I fixed it and now it works!
> 1) NATted UDP 500 and UDP 4500
> 2) enabled SecureNAT and Virtual DHCP
> however, ipad connect but not works, I try using hostname and ip but
> nothing happens, my android phone indeed is ok


Did you NAT TCP 1701 Also?

[desperados]

no, it seems not needed

[seanbirkhead]

desperados wrote:
> no, it seems not needed


When my own iPad is connected to my Hub via L2TP I can see traffic on 1701 so it might be ...

[dnobori]

No need to allow UDP 1701.
Only UDP 500 and 4500 are necessary to accept L2TP/IPsec.

iOS (iPad and iPhone) has a bug to send raw L2TP (UDP 1701) sometimes. Such packets should be sent only in an IPsec tunnel to protect condifential data.
The reason is unknown because iOS is not an open-source.